Nmap CheatSheet

Basic Scanning with Nmap

Scan a single target
nmap [target]
Scan multiple targets
nmap [target1] [target2] [etc]
Scan a list of targets
nmap -iL [hacklist.txt]
Scan a range of hosts
nmap [range of IP addresses]
Scan an entire subnet
nmap [IP address/CIDR]
Scan random hosts
nmap -iR [number]
Excluding targets from a scan
nmap [targets] --exclude [targets]
Excluding targets using a list
nmap [targets] --excludefile [list.txt]
Perform an aggressive scan
nmap -A [target]
Scan an IPv6 target
nmap -6 [target]

Output Options

Save output to a text file
nmap -oN [scan.txt] [target]
Save output to an XML file
nmap -oX [scan.xml] [target]
Grepable output
nmap -oG [scan.txt] [target]
Output all supported file types
nmap -oA [path/filename] [target]
Periodically display statistics
nmap --stats-every [time] [target]
l33t output
nmap -oS [scan.txt] [target]

Nmap Scripting Engine

Execute individual scripts
nmap --script [script.nse] [target]

Execute multiple scripts
nmap --script [expression] [target]

Execute scripts by category
nmap --script [cat] [target]

Execute multiple script categories
nmap --script [cat1,cat2,etc] [target]

Troubleshoot scripts
nmap --script [script] --script-trace [target]

Update the script database
nmap --script-updatedb

Script categories

Version Detection with Nmap

Operating system detection
nmap -O [target]
Attempt to guess an unknown
nmap -O --osscan-guess [target]
Service version detection
nmap -sV [target]
Troubleshooting version scans
nmap -sV --version-trace [target]
Perform an RPC scan
nmap -sR [target]

Firewall Evasion Techniques with Nmap

Fragment packets
nmap -f [target]
Specify a specific MTU
nmap --mtu [MTU] [target]
Use a decoy
nmap -D RND:[number] [target]
Idle zombie scan
nmap -sI [zombie] [target]
Manually specify a source port
nmap --source-port [port] [target]
Append random data
nmap --data-length [size] [target]
Randomize target scan order
nmap --randomize-hosts [target]
Spoof MAC Address
nmap --spoof-mac [MAC|0|vendor] [target]
Send bad checksums
nmap --badsum [target]


Comparison using Ndiff
ndiff [scan1.xml] [scan2.xml]
Ndiff verbose mode
ndiff -v [scan1.xml] [scan2.xml]
XML output mode
ndiff --xml [scan1.xml] [scan2.xml]

Nmap Discovery Options

Perform a ping scan only
nmap -sP [target]
Don’t ping
nmap -PN [target]
nmap -PS [target]
TCP ACK ping
nmap -PA [target]
UDP ping
nmap -PU [target]
SCTP Init Ping
nmap -PY [target]
ICMP echo ping
nmap -PE [target]
ICMP Timestamp ping
nmap -PP [target]
ICMP address mask ping
nmap -PM [target]
IP protocol ping
nmap -PO [target]
ARP ping
nmap -PR [target]
nmap --traceroute [target]
Force reverse DNS resolution
nmap -R [target]
Disable reverse DNS resolution
nmap -n [target]
Alternative DNS lookup
nmap --system-dns [target]
Manually specify DNS servers
nmap --dns-servers [servers] [target]
Create a host list
nmap -sL [targets]


acheng acheng, 11:05 2 May 16

For the version I'm using (nmap 7.0), ping scan changed from -sP to -sn
